APAC Data Protection Overview

Hi everyone, welcome to Cloudflare TV and I have the great joy of introducing a good friend of mine, Sean Tan, to the segment today and we're looking forward to speaking about kind of the data protection landscape in APAC and the changes which are coming up and also kind of what to expect.

So before we get started, I'd like to introduce myself.

My name is Tilly Lang and I'm privacy counsel here at Cloudflare and I had the great honor of introducing Sean Tan, who's a data protection expert in the APAC region based in Singapore and is a data protection consultant for New Law.

So welcome Sean, welcome to Cloudflare TV. Hi Tilly, thank you. Thank you for this opportunity.

It's really exciting to be on television, online TV, Cloud TV.

Exactly, Cloudflare TV. So I think before we get sort of started into the nitty-gritty of exactly sort of what's going on in APAC from a data protection standpoint, I thought it'd be good just to kind of have a bit of a chat about kind of how you got into data protection law because I know not everyone's journey is the same.

Some people fall into it, some people choose it, so I was just wondering kind of what your journey was into data protection and then we can compare stories.

Yeah, well yeah, definitely fell into it. I guess a couple lifetimes ago I was working as a sales attorney and so I was negotiating a lot of contracts with customers on behalf of my sales team and it was a software company and there was a SaaS division, a cloud computing division, and so this was back in 2012, 2013, and so the customers in Asia-Pacific were inquiring a lot about the clauses and especially on data protection and privacy and data security, a lot of them had questions like, well, where is your server located and how do you protect the data, what exactly is the kind of processing you do as our service provider, so I kind of fell into it because these questions came up.

It also came up because I was also supporting the marketing department and so there were a lot of B2C and it's almost B2B advertising, marketing, legal support that came up and a lot of it also related to privacy and data protection and that's how I kind of fell into it, just addressing, helping the colleagues in these departments, helping sales team kind of navigate some of these questions.

Yeah, it's interesting because I kind of started off my career in corporate governance, so I'm a lawyer by trade but I worked for sort of a large US conglomerate for a while sort of in the corporate governance team and we supported the sort of businesses globally and it was one of those things when I started off my career where obviously it was important but nobody kind of knew where to put data protection, so it was one of those things, like a lot of things in an organization still to this day where it doesn't sort of have a specific team or allocation sort of gets passed over to the corporate governance team in the first instance, so that was kind of my first introduction to data protection and then obviously with the GDPR coming into play but even before that there was kind of this growing awareness sort of that data protection was going to sort of take a new life form, shall we say, and obviously in Europe in particular with the GDPR coming into play in 2018, it definitely did and the lead up to that and yeah, we find ourselves where we are today in the data protection landscape which is changing a lot, a lot of countries are enacting new data protection laws and more and more and more are coming, either enacting new laws or sort of doing reviews to their current laws, so it's definitely interesting but I think as well, sorry Sean, I was just going to say I think as well sort of with 2020 and obviously we know with sort of the coronavirus pandemic that's definitely kind of shone a new light on handling of personal data, especially sort of from the government's point of view but also from health care companies and things along those lines, so it's definitely an interesting field, I have to say and I'm enjoying working at it but I have to admit every day is a sort of a school day in terms of there's definitely something new to learn, if it's not new laws coming out there's definitely questions that get sort of raised that you haven't thought about or challenges that come up you have to deal with, so yeah it's a good field.

Well you can turn to no better place than the APAC region for challenges, that's for sure.

Exactly, exactly, well so I mean so on that standpoint, the APAC region is, well I mean we'll get into it in a second, but is sort of is an absolute mixture from a data protection point of view but also from sort of a cultural and jurisdictional point of view, so I mean just what would be super interesting is if you could just kind of give us an overview of how sort of data protection awareness has developed in the region and sort of the local sort of twists that some jurisdictions have put on it and kind of where we are today.

You're right, APAC is very different as a region compared to say the US or Europe, you know in the US we view the US as a single country and the European Union as some sort of supranational, somewhat federal -like, you know group of member states, right.

There's definitely no equivalent in APAC and so each country you know could be doing something and it feels like it's a hodgepodge of data protection regimes across the region and awareness is an interesting I guess perspective to it, it really depends on the maturity level of the data protection regime as well as the people in that particular country.

Typically I would find for instance New Zealanders more aware of the privacy rights and more concerned about privacy and data protection versus a lot of the other perhaps emerging markets within APAC and so a lot of it would really depend on political culture, societal norms, you know we're in certain countries in APAC where you know there's a huge level of trust placed onto their governments and their politicians so there's this expectation that governments are meant to take care of them including looking out for their privacy and data protection rights.

So other considerations would be for instance education levels of population and that could be based on for instance age or obviously geography, how aware are people of their privacy rights that's down to how educated they are about their rights and just because people are aware doesn't mean they actually behave as though they are truly concerned.

How many people in APAC actually or just generally actually read privacy policies and websites and blockers but I do know that we here in Asia love our selfies and so posting photos or tagging ourselves in specific locations on social media that's the norm and it's interesting because there are surveys on this and I believe I shared with you a particular marketing survey that revealed that consumers in certain countries in APAC may not be entirely opposed to for instance negotiate or bargain with businesses for the use of the consumer's data by those businesses and I think the statistics was two-thirds of consumers in New Zealand are less likely to consider a product or a service from a business if their data is used but if you compare it to say Indonesia I think that the survey revealed that only 36 percent would be similarly less inclined.

Yeah it's definitely interesting when you see these type of surveys and even just thinking about my behavior as a privacy specialist and I know the pitfalls it's sometimes you get into this dilemma of convenience over privacy rights and where you kind of sit in that spectrum let's say but it definitely sort of is interesting especially sort of with the cultural and jurisdictional aspects thrown in.

Yeah I mean culturally I personally live up to the Asian stereotype always wanting a a good bargain you know it's like oh can I get two free grips instead of one right so you know and it's interesting you know individuals versus businesses individuals versus the state in terms of negotiating their privacy and their privacy rights.

Yeah so kind of on that note I think it'd be really helpful just sort of for the audience as well if you give us sort of a bit of an overview of sort of the current state of protection laws in APAC.

I know that's a huge topic so I know we'd probably need a three-hour segment to go through all of them and be able to take notes but just sort of just high level in particular I know there's been some recent data protection changes in Singapore so that would be great to hear about and just kind of give us a bit of a flavor over sort of where APAC is with their sort of data protection laws sort of maturity.

Sure it's a whole spectrum lots of changes you mentioned Singapore absolutely right in fact the first I guess the first set of or batch of amendments that were passed last year have come into effect as of I think last week and really no surprises because this has been in the pipeline for a while now the regulator had been trying to get mandatory breach notification going for a while so that's finally you know in the books.

Looking at exceptions to consent a lot of the APAC data protection regimes are very you know consent centric and so Singapore is also not an exception on that front but what the amendments have done is they've also introduced for instance legitimate interest as you know an exception to consent an alternative basis for processing so and of course you know with every new update to the law we only see increases in penalties and maximum penalties you know sticking carrots right so for Singapore it's you know maximum financial penalty of 10 million or if you are a business with you know annual turnover beyond that then it's 10 percent.

So yeah so quite a bit going on not just in Singapore Thailand has passed its own version of the GDPR I guess you know there was an exemption though but that expires 31st of May this year so it will come into effect properly in June.

New Zealand amended their laws recently to also include mandatory breach notifications one of the things that they've done is they've made it really clear that hey if you are a business and you're carrying on business even without any physical presence in New Zealand but you know you for instance offer products and services to people in New Zealand then the law would apply so that came out of this little tiff that the regulator had with Facebook so okay.

And just on top of that as well even though the Kiwis have amended their laws recently the commissioner has recently stated that you know they're looking at you know further amendments so sounds like it's a continuous update continuous updating process.

Yeah and do you find that when sort of these laws are amended or changed that they're kind of moving more towards kind of the GDPR standard or do you find that they're kind of taking on a bit of a life of their own in terms of cherry-picking what's sort of working with the GDPR but then sort of leaving out aspects which may be kind of more problematic to businesses let's say?

Yeah definitely each regulator in the region seems to to look for inspiration I suppose that's the best way of putting it by looking at the GDPR.

I think that's not going to change the GDPR is very influential in terms of of the type of provisions that regulators across Asia-Pac would like to see and certainly regulators in the APAC region do find value in a lot of these GDPR provisions.

That said it's not it's not a wholesale cut and paste job just as an example China in its draft I believe they released their draft personal information protection law which is really I guess the other version of GDPR very you know a lot of provisions very similar to GDPR but they've for instance left out legitimate interests you know and they've kind of you know they've kind of emphasized the data localization requirements as well so so it's interesting because we do see bits and bobs that regulators feel like they need to update you know looking at how automated decision-making processes are conducted looking at for instance data subject rights such as portability which may not be in in the existing data protection law because that particular law for that particular country was passed a while ago and and so there is a need there is a case certainly to look at updating these existing laws for these countries and then for those countries that never did have an omnibus type of you know data protection or privacy law you know they definitely turn to the EU for for like I said inspiration.

Yeah absolutely and the one thing I kind of just want to touch upon as well is I've seen the sort of voluntary model contractual causes have been released sort of in the APAC region I was wondering if we could just sort of discuss that and obviously being in the data protection world we sort of know from the summer of 2020 with the Schrems 2 judgment coming on and a lot of attention around sort of international transfers from the EU to third countries was quite the topic in the summer of last year and I was just wondering sort of if you could give us a bit of a overview of these model contractual clauses sort of where they've come from and also from what I've seen although keep me honest here they are voluntary at the moment but there do you see them developing into sort of a similar type of requirement like standard contractual clauses in the EU or how do you see them developing?

Yeah definitely a good one the association of Southeast Asian nations or ASEAN so that's really the kind of platform and ASEAN as a community of nations you know have been looking at data, digitalization of economy, e-commerce you know things that really any other government would kind of look at as well and so this has come out as part of that wider overarching I guess viewpoint and the desire to kind of grow the economies and prepare the economies the ASEAN economies for the digital world you know I guess yeah so yes so in terms of the model contractual clauses they are voluntary there are two variants so they have been I guess inspired by the SCCs under the 95 directive or rather than the new draft SCCs that were released a few months ago by the commission so two variants you know controller to controller, controller to processor and what is interesting would be it's meant to be I guess a way that legitimizes data transfers within the community of nations and so there are optional clauses that are meant to tailor these clauses according to the local data protection laws.

What is interesting as well is unlike the 95 directive SCCs there are I guess interesting clauses in there which deal with the rights of data subjects versus sub-processes and so we don't know you know whether that's something you know I guess regional MNCs in Southeast Asia will kind of really really I guess adopt these model contractual clauses.

Perfect and I just want to we touched upon when we were discussing kind of the different jurisdictional requirements with data protection we touched upon data localization a bit and I was wondering if we could kind of revisit that because even though sort of not legal requirements in a lot of jurisdictions the data localization discussions is becoming kind of more and more prominent especially sort of with organizations and in some jurisdictions they are actually adopting data localization requirements into law so I was just wondering in the APAC region if we could just discuss that in terms of if what pieces of legislation or which jurisdictions I should say have data localization requirements and sort of what sectors as well that they affect.

Sure so I'd like to start off by saying that data localization laws aren't actually I guess new or unusual in any way and it's not an APAC thing.

A lot of countries have it you know financial data of data subjects you know health records of data subjects you know can't be offshored so and so it's really no different in that sort of way for a lot of the sectors you know that are you know I guess regulated you know players in banking and finance and telecommunications and health healthcare.

So Australia, Japan, I believe South Korea as well you know health records you know have to be locally stored.

In India I believe it's banking and financial you know payments data will need to be I believe that's a requirement of the Reserve Bank of India.

Credit information for I think it's Thailand so these are you know not surprising.

We also see data localization laws that I guess data protection and privacy specialists like you and me would be you know would kind of raise an eyebrow on would be really the kind of cyber security and data protection laws that we find in for instance Vietnam, Indonesia, and China.

So for instance Vietnam you know they've got requirements in their cyber security law.

Indonesia they have a requirement that if you are considered a public you know electronic system operator you've got to keep your data locally.

And then there's also a separate process that you need to coordinate with the ministry communications and informatics I believe to kind of coordinate and report back on the transfer out of Indonesia.

So I think we definitely see a trend of data localization laws but it's very it's also from a country standpoint is very negotiated in that you know the governments feel inclined to have data localization laws as a political reaction towards for instance the US because of this the Snowden revelations right.

And then the businesses foreign businesses then reframe this as look you know data localization laws are effectively trade barriers and and you know that's that's not great and there's a lot of political lobbying to either water down these provisions or to convince governments to forego such provisions.

Perfect so I think just the ultimate question so if you had to sort of recommend or advise sort of companies that are either currently operating in APAC or looking to sort of open up operations APAC what what suggests what top three recommendations would you make to sort of the the companies to look at for the privacy programs?

Well top three well I think firstly if if you are coming with your global privacy program I think focus on the commonalities you know certain principles don't change accountability transparency certain obligations you know security retention minimization purposeful processing these things don't really differ so so I think that kind of gets your compliance program quite quite a long way down the road and then when you look at the the local nuances then it's really I guess a two -pronged approach figuring out you know applying an 80-20 rule so that's that's my my second thing applying it to 80-20 rule on the the local nuances to see look what what can be done as a matter of compliance and and the third one is is to really to really be I guess an active participant in in that sort of regulatory engagement I think that's that's key I don't think regulators are are I guess indifferent towards business concerns they they would view the business community as a stakeholder for a lot of the countries in APAC and so you know it's about demonstrating compliance and telling the regulator hey this is you know this is how we operate this is how we this is how our program works and and shed you know the concerns the legitimate concerns on on how the practical limitations of perhaps some of these local nuances can be and have that sort of active engagement with the regulators and and that usually I think helps because it's a two-way conversation absolutely well Sean what can I say it's been an absolute pleasure thank you so much for kind of walking us through the data protection landscape in APAC I know there's a lot going on and still going on and I think 2021 is going to be a year as well to kind of look out to see sort of the changes which are happening in APAC for data protection but as always it was a pleasure speaking with you and thank you so much for joining us on Cloudflare TV.

Thank you so very much to Lee for organizing together with the Cloudflare TV team and look forward to catching up again.

Take care, bye-bye. you